![](\"https:\/\/media.wired.com\/photos\/623a5aeeb1c15e50702785cf\/master\/pass\/Internet-Satellite-Hack-Security-949366626.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Matt Burgess| Date: Wed, 23 Mar 2022 11:00:00 +0000<\/strong><\/p>\n Matt Burgess<\/a><\/span><\/span><\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n To revist this article, visit My Profile, then View saved stories<\/a>.<\/p>\n More than 22,000<\/span> miles above Earth, the KA-SAT is locked in orbit. Traveling at 7,000 miles per hour, in sync with the planet\u2019s rotation, the satellite beams high-speed internet down to people across Europe. Since 2011, it has helped homeowners, businesses, and militaries get online. However, as Russian troops moved into Ukraine during the early hours of February 24, satellite internet connections were disrupted. A mysterious cyberattack against the satellite\u2019s ground infrastructure\u2014not the satellite itself\u2014plunged tens of thousands of people into internet darkness.<\/p>\n Among them were parts of Ukraine\u2019s defenses. \u201cIt was a really huge loss in communications in the very beginning of war,\u201d Viktor Zhora, a senior official at Ukraine\u2019s cybersecurity agency, the State Services for Special Communication and Information Protection (SSSCIP), reportedly said<\/a> two weeks later. He did not provide any more details, and SSSCIP did not respond to WIRED\u2019s request for comment. But the attack against the satellite internet system, owned by US company Viasat since last year<\/a>, had even wider ramifications. People using satellite internet connections were knocked offline all across Europe, from Poland to France.<\/p>\n Almost a month after the attack, the disruptions continue. Thousands still remain offline in Europe\u2014around 2,000 wind turbines are still disconnected in Germany\u2014and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack. The Viasat hack is arguably the largest publicly known cyberattack to take place since Russia invaded Ukraine, and it stands out for its impact beyond Ukraine\u2019s borders. But questions about the details of the attack, its purpose, and who carried it out remain\u2014although experts have their suspicions.<\/p>\n Satellite internet connections are often used in areas with low cable coverage, and they are used by everyday citizens as well as official organizations. The setup is different from your typical home or office Wi-Fi network, which mostly rely on wired broadband connections. \u201cSatellite communications are composed of three main components,\u201d says Laetitia Cesari Zarkan, a consultant at the United Nations Institute for Disarmament Research and a doctoral student at the University of Luxembourg. First, there is the spacecraft that\u2019s in orbit, which is used to send \u201cspot beams\u201d back to Earth; these beams provide internet coverage to specific areas on the ground<\/a>. These beams are then picked up by satellite dishes on the ground. They can be attached to the sides of buildings, or on planes to power in-flight Wi-Fi. And finally there are ground networks, which communicate with and can configure people\u2019s systems. \u201cThe ground network is a collection of earth stations connected to the internet by fiber-optic cables,\u201d Zarkan says.<\/p>\n Aside from Zhora\u2019s comment, the Ukrainian government has remained tight-lipped about the attack. However, satellite communications, also known as satcom, appear to be frequently used in the country. Ukraine has the world\u2019s most transparent system<\/a> for tracking government spending, and multiple<\/a> government<\/a> contracts<\/a> show<\/a> that the SSSCIP and police have purchased the technology. For instance, during Ukraine\u2019s 2012 elections, more than 12,000 satellite internet connection points were used to monitor voting, official documents<\/a> spotted by European cybersecurity firm SEKOIA.IO show<\/a>.<\/p>\n \u201cTo disrupt satellite communications, most people\u2014myself included\u2014would look at the signal in space, because it's exposed,\u201d says Peter Lemme, an aviation specialist who also writes about satellite communications. \u201cYou can transmit signals toward the satellite that would effectively jam its ability to receive signals from legitimate modems.\u201d Elon Musk has claimed<\/a> that Starlink satellite systems he sent to Ukraine have faced jamming attacks.<\/p>\n However, the attack against Viasat may not have involved jamming. The attack against the network was a \u201cdeliberate, isolated, and external cyber event,\u201d according to Viasat spokesperson Chris Phillips. The attack only impacted fixed broadband customers and didn\u2019t cause disruption to airlines or Viasat\u2019s US government clients<\/a>, the company says, and no customer data was impacted. However, people\u2019s modems have not been able to connect to the network, and they have been \u201crendered unusable<\/a>.\u201d<\/p>\n On Tuesday, Viasat chair Mark Dankberg told a satellite conference<\/a> that the company purchased the KA-SAT in Europe last year, and its customer base is still being operated by a third party as part of the transition. \u201cWe believe for this particular event it was preventable, but we didn't have that capability in that case,\u201d Dankberg said, confirming that thousands of modems were taken offline. \u201cIn most of the cases of the modems that went offline, they need to be replaced. They can be refurbished, so we're recycling modems,\u201d Dankberg said.<\/p>\n \u201cThere is no evidence to date of any impairment to the KA-SAT satellite, core network infrastructure, or gateways due to this incident,\u201d Phillips says in a statement. Instead Viasat says the cyberattack was the result of a misconfiguration in a \u201cmanagement section\u201d of its network, as first reported by Reuters<\/a>. The company declined to provide any more details on the technical nature of the incident, citing ongoing investigations. Viasat says it is now focusing on recovering from the partial outage.<\/p>\n No government has officially attributed the attack to Russia, despite speculation it may have caused the attack to disrupt communications in Ukraine. Dankberg told CNBC on Monday<\/a> that he couldn\u2019t confirm whether Russia was behind the attack, and that governments would be the source of such attribution. It is rare for governments to quickly attribute cyberattacks<\/a> to a country or actor, as investigations are complex and take time to complete.<\/p>\n However, Western officials say the attack would be in keeping with Russia\u2019s playbook. \u201cWere it to be attributed ultimately to Russia, it would very much fit within what we would expect them to do, which is to use their cyber capabilities to ultimately support their military campaign,\u201d Western officials told reporters during an on-background briefing last week. The US National Security Agency (NSA), and ANSSI, France\u2019s cybersecurity agency, are investigating the hack<\/a>. The US Federal Bureau of Investigation has issued an advisory<\/a> with the US Cybersecurity and Infrastructure Security Agency (CISA) that warns of satcom hacks. \u201cCISA remains concerned about the threat to US and allies\u2019 satellite communications networks,\u201d Eric Goldstein, CISA's executive assistant director for cybersecurity, said in a statement.<\/p>\n Hacking threats to satcom aren\u2019t new. In 2014 security researcher Ruben Santamarta published research<\/a> showing the many ways satellite communications could potentially be hacked. In 2018, Santamarta\u2019s follow-up research<\/a> demonstrated how this could be done, including a focus on satellite systems in military situations. Santamarta says it is possible the attackers in the Viasat case\u2014although their identity and motive is unknown\u2014may have been able to deploy a malicious firmware update<\/a> that sabotaged customer modems.<\/p>\n \u201cWe have the option that the intended goal of the attackers was to actually break the terminals in order to disable the communications,\u201d Santamarta says. \u201cOr maybe they were expecting to deploy a specific payload to maybe eavesdrop on communications and something went wrong and the terminals were bricked. At this point, we don't know what really happened.\u201d<\/p>\n While many of the details of the Viasat hack are still unraveling\u2014independent security researchers are examining the code on bricked modems\u2014its impacts have been widely felt. The cyberattack appears to be a prominent example of spillover, where an attack spreads, either intentionally or accidentally, beyond its original target. In the months leading up to Russia\u2019s invasion of Ukraine, cybersecurity experts and governments warned that spillover damage is a huge international threat.<\/a> In June 2017, for example, Russia\u2019s NotPetya worm<\/a> spread beyond its original targets in Ukraine and caused more than $10 billion of damage around the world.<\/p>\n \u201cIt looks like the clearest example of spillover, whether it was or was not the most disruptive activity that was undertaken at the time,\u201d Western officials say of the Viasat incident. The fallout seems to have spread far and wide. Satellite internet providers in Germany, the UK, France<\/a>, the Czech Republic, and more saw their services impacted by the outage. Users on a satellite internet forum reported problems as far away as Morocco<\/a>. \u201cIt's hard to go for a week without the internet, but if there is no other alternative access, you just have to wait,\u201d one user in Poland complained<\/a>. The EU Agency for Cybersecurity, which is also investigating the incident, says it is aware of 27,000 users impacted by the outage, a figure first reported by WIRED Italy<\/a>.<\/p>\n In one of the first signs the hack was taking place, more than 5,800 wind turbines belonging to the German energy company Enercon were knocked offline. The disruption did not stop the turbines from spinning, but it means they can\u2019t be reset remotely if there is a fault, says Enercon spokesperson Felix Rehwald. So far Enercon has managed to get 40 percent of the affected turbines back online, and its teams are replacing their satellite modems. \u201cWe do not believe that it was aiming at us or our customers. It seems that we are sort of \u2018collateral damage,\u2019\u201d Rehwald says.<\/p>\n The recovery from the incident is likely to take more time. Viasat says it is getting hundreds of customers online every day and providing people with new modems or issuing software updates that can fix their systems remotely. Jaroslav Stritecky, the CEO of Czech internet provider INTV, says the company has been contacting all of its satcom customers to see if they need new modems, \u00a0and it will likely need to replace the majority of those that were affected. Stritecky says the work may be completed by the end of March. \u201cThe question is if there are enough new modems to provide or to support everyone,\u201d he adds.<\/p>\n